Apple’s new anonymity feature for iPhones is flawed, researchers say

A feature rolled-out by Apple with the recent release of its new operating system for iPhones and iPads is being called into question by tech experts who say it stops short of offering customers an easy way to protect their privacy.

Mobile devices running Apple’s new iOS8 contain a feature
designed to randomize the phone or tablet’s MAC address, meaning
the unique identifier ascribed to a given iPhone or iPad will
routinely change, in turn making it more difficult to trace the
activities of an iOS-powered gadget to a specific device.

That’s how the function works in theory, at least. According to
recent reports, actually enabling the MAC address randomizer is a
feat that requires extra legwork on the part of the end user —
the likes of which experts expect to rarely occur on a device
that is known for otherwise being rather intuitive.

Last week, researcher Bhupinder Misra at the AirTight blog wrote that certain criteria
must be met before the feature can enable anonymity. According to
his report, a MAC address will be scrambled only if:

Phone is in sleep mode (display off, not being used)
Wi-Fi should be ON but not associated
Location services should be OFF in privacy settings

"If you're using the phone, it doesn't randomize," Misra
explained to the Washington Post. "It's only randomizing
if the location services are off and [the phone] is in sleep
mode. There's only a small percentage of people who would do
that."

Even after his report began to make waves, though, Misra noticed that the function requires even further
action in order to work as intended. In a follow up blog, the
researcher wrote:

“And then something hit me and it is even more ridiculous
(damning) than the earlier finding that location services should
be OFF for random MAC addresses to show up. It has to do with the
cellular data connection setting. Basically, if the phone’s
cellular data connection is ON, there is no MAC randomization! If
you now turn OFF the cellular data connection (Settings ->
Cellular -> Cellular Data OFF), random MAC addresses show
up.”

If an individual with the right iPhone and the latest operating
system indeed follows those steps, then they won’t have any real
issue randomizing their MAC address and can thusly have their
phone appear as a unique gadget whenever it attempts to connect
to a Wi-Fi network. Otherwise, a consistent MAC address can make
it possible to see what networks a device connects to and, if
analyzed appropriately, the geolocation of the phone or tablet at
a given time.

According to Misra, though, few iOS users will go to such
lengths.

“Bottom line, this further shrinks the population which is
covered by MAC address randomization, perhaps to inconsequential
levels and maybe even zero,” he estimated. “Who turns
OFF location services AND turns OFF cellular data connection
while using their iPhone. That is why I now call it ‘iOS8 MAC
RandomGate.’”